Security test (software)

Security tests are software tests that test the security of software . They are a way of increasing information security . The tests can begin as soon as the first line of code has been written so that errors can be detected as early as possible.

particularities

Security tests have a different question than most of the other, general tests, because they are intended to provide evidence that software does not contain functions that it should not contain. Therefore, security tests are mostly so-called negative tests . Furthermore, security tests should provide evidence that there are no unsafe side effects in a program, because a single error is enough to compromise the entire program. The formulation of a security test is usually problematic because the patterns of the vulnerabilities cannot be defined precisely enough. However, security tests can never prove that software is one hundred percent secure.

target

The aim of security tests is to find security-critical vulnerabilities in programs. In this way, an attempt is made to ensure the absence of vulnerabilities in software. It is important that the tests extend over the entire program because, as mentioned above, a single error is sufficient to compromise the entire program.

Programming error

Security tests are designed to find all bugs within a program. Most of these safety-critical errors can be traced back to a few causes. The most common cause are programming errors . There are various schemes for categorizing these programming errors in order to clearly separate the individual errors from one another. The most frequently mentioned categories are the following:

• Cross site scripting
• SQL injection
• Failing to Protect Data
• Buffer overflow
• Improper error handling
• Information leakage
• Integer overflow and underflow
• unsafe handling of file links
• Race Conditions
• Format string attacks
• Etc.

As part of the Open Web Application Security Project (OWASP), an application ( WebGoat ) was developed that helps the user to understand and understand the various programming errors. This application is therefore also a good starting point for developing security tests.

Tools

The tools listed below are mostly safety test tools. Some of the tools are open source .

• Jlint (Java)
• PQL / bddbddb (Java)
• Nikto (pearl)
• RATS (C, C ++)
• WebScarab
• ITS4 (C, C ++)
• Virtual Forge CodeProfiler (SAP ABAP)
• Fortify SCA Suite (Java, C, C ++ etc.)
• Beyond Security beSTORM (fuzzing tools for over 140 different protocols, e.g. IPv4, IPv6, SIP, DHCP)
• Microsoft Security Development Lifecycle (SDL) (8 freely available applications)

See also

• Proof-Carrying Code

literature

• Michael Howard, David LeBlanc: Writing secure code. Practical strategies and proven techniques for building secure applications in a networked world. 2nd edition. Microsoft Press, Redmond, WA 2003, ISBN 0-7356-1722-8

Web links

• Open Web Application Security Project
• Federal Office for Information Security (BSI): Catalog of measures and best practices for the security of web applications
• Safety-relevant programming errors (PDF; 1.1 MB)
• Security Developer Center on MSDN
• The great Application Security Penetration Test FAQ for clients